CVE-2026-4267

Query Monitor <= 3.20.3 - Reflected Cross-Site Scripting via Request URI

Severity: high
CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 7.2
Patched in: 3.20.4
Time to patch: 7d

Description

The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘$_SERVER['REQUEST_URI']’ parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 3.20.3
Published: March 30, 2026
Last updated: April 6, 2026
Affected plugin: query-monitor

What Changed in the Fix

Changes introduced in v3.20.4


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan - CVE-2026-4267 (Query Monitor <= 3.20.3)

1. Vulnerability Summary

Query Monitor (versions 3.20.3 and below) is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability arises because the plugin captures and subsequently displays the $_SERVER['REQUEST_URI'] within its developer panels (specifically the "Overview" and "Request" panels) without sufficient sanitization or context-aware escaping.

An unauthenticated attacker can craft a malicious URI containing script tags or event handlers. If a logged-in administrator (or a user with the Query Monitor authentication cookie) visits this URI, the script will execute in their browser context.

2. Attack Vector Analysis

  • Endpoint: Any URL on the WordPress site (frontend or backend) where Query Monitor is active.
  • Vulnerable Parameter: $_SERVER['REQUEST_URI'] (the path and query string of the request).
  • Authentication: None (Unauthenticated). The attacker crafts the link; the vulnerability is triggered when a privileged user (Admin) views the page.
  • Preconditions:
    • The Query Monitor plugin must be active.
    • The victim must be a logged-in administrator or have a valid Query Monitor authentication cookie.

3. Code Flow

  1. Data Collection: When a page loads, Query Monitor's QM_Collector_Request (part of the core plugin) captures

Research Findings
Static analysis — not yet PoC-verified

Summary

The Query Monitor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to insufficient output escaping of the Request URI in its developer panels. An unauthenticated attacker can craft a malicious link containing script tags that execute arbitrary JavaScript in the context of a logged-in administrator's browser when they view the plugin's overview or request data.

Vulnerable Code

/* output/Html.php line 487, as shipped in 3.20.3 (vulnerable) */
public static function format_url( $url ) {
	// If there's no query string or only a single query parameter, return the URL as is.
	// This early return is the bug: a REQUEST_URI with no '&' reaches the HTML output
	// without passing through esc_html(), so a payload in the path or in a single
	// query parameter is emitted as raw markup.
	if ( ! str_contains( $url, '&' ) ) {
		return $url;
	}

	// Only URIs containing '&' reach this branch and get escaped.
	return str_replace( array( '?', '&amp;' ), array( '<br>?', '<br>&amp;' ), esc_html( $url ) );
}

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/query-monitor/3.20.3/output/Html.php	2026-03-17 12:50:36.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/query-monitor/3.20.4/output/Html.php	2026-03-19 17:11:48.000000000 +0000
@@ -487,7 +487,7 @@
 	public static function format_url( $url ) {
 		// If there's no query string or only a single query parameter, return the URL as is.
 		if ( ! str_contains( $url, '&' ) ) {
-			return $url;
+			return esc_html( $url );
 		}
 
 		return str_replace( array( '?', '&amp;' ), array( '<br>?', '<br>&amp;' ), esc_html( $url ) );
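Review bot: the comment directly above the changed line still reads "return the URL as is", which is no longer what the branch does now that it returns esc_html( $url ); reword it (for example "return the URL escaped but not split") so the next reader does not assume the early return is unescaped. The change itself is the right shape, escaping at the sink in both branches rather than trying to sanitise REQUEST_URI at collection time, but because the early-return branch previously returned raw text, any caller that relied on format_url() passing single-parameter URIs through untouched should be rechecked, and any other place the plugin echoes the request URI outside format_url() needs its own esc_html() call rather than depending on this helper.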

Exploit Outline

The exploit targets the way Query Monitor displays the current request's URI in its UI panels.

  1. An attacker constructs a URL for the target WordPress site that carries an XSS payload in the path or query string, for example: `http://example.com/wp-admin/index.php?foo=<script>alert(document.domain)</script>`.
  2. The attacker tricks a logged-in administrator (with Query Monitor active) into visiting this URL.
  3. On page load, Query Monitor's collector captures the raw `$_SERVER['REQUEST_URI']`.
  4. When the administrator opens the Query Monitor interface (or if it is already open), the `format_url` function in `output/Html.php` processes the URI for display in the 'Overview' or 'Request' panels.
  5. Because the URI carrying the payload contains no ampersand (`&`), the vulnerable `format_url` returns the raw, unescaped string straight into the HTML output and the browser executes the injected script. A payload that spans two query parameters (and therefore contains `&`) takes the other branch and is escaped by `esc_html`; the bypass is specifically a single-parameter or path-only URI.
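The branch behaviour described in step 5, and the one-line fix shown in the diff above, can be exercised outside WordPress. The following is an added example, not Query Monitor's code: it places the 3.20.3 and 3.20.4 versions of `format_url` side by side and runs both over constructed request URIs. WordPress's `esc_html()` is not available in a plain PHP run, so an `htmlspecialchars()` stand-in is declared here; the assumption is that for the characters that matter (`<`, `>`, `&`, `"`, `'`) its output matches the real function. `leaks_markup()` is a hypothetical helper written for this demo, not part of the plugin.

```php
<?php
// Added example, not Query Monitor's code: pre-fix and post-fix format_url()
// side by side, driven against constructed request URIs.
// Assumption: WordPress's esc_html() is replaced by an htmlspecialchars()
// stand-in that escapes the same characters that matter here (< > & " ').
// Requires PHP 8 for str_contains(), as the plugin itself does.

if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}

// Query Monitor <= 3.20.3: a URI containing no '&' is returned unescaped.
function format_url_vulnerable( $url ) {
	if ( ! str_contains( $url, '&' ) ) {
		return $url;
	}
	return str_replace( array( '?', '&amp;' ), array( '<br>?', '<br>&amp;' ), esc_html( $url ) );
}

// Query Monitor 3.20.4: both branches pass the URI through esc_html().
function format_url_fixed( $url ) {
	if ( ! str_contains( $url, '&' ) ) {
		return esc_html( $url );
	}
	return str_replace( array( '?', '&amp;' ), array( '<br>?', '<br>&amp;' ), esc_html( $url ) );
}

// Hypothetical check helper for this demo: the only '<' the formatter is
// meant to emit is its own <br> separator, so any other '<' left in the
// rendered string is attacker-controlled markup reaching the page.
function leaks_markup( $rendered ) {
	return str_contains( str_replace( '<br>', '', $rendered ), '<' );
}

// Constructed request URIs (not captured from a real site).
$cases = array(
	'single param, script tag' => '/wp-admin/index.php?foo=<script>alert(document.domain)</script>',
	'payload in the path'      => '/"><img src=x onerror=alert(1)>',
	'two params, script tag'   => '/?a=1&b=<script>alert(1)</script>',
	'benign'                   => '/?p=42',
);

foreach ( $cases as $label => $uri ) {
	printf(
		"%-26s vulnerable: %-8s fixed: %s\n",
		$label,
		leaks_markup( format_url_vulnerable( $uri ) ) ? 'LEAKS' : 'escaped',
		leaks_markup( format_url_fixed( $uri ) ) ? 'LEAKS' : 'escaped'
	);
}
```

Run it with `php format_url_demo.php` (the filename is just a suggestion). The two single-parameter and path-only cases leak raw markup through the vulnerable version and come out escaped from the fixed one; the two-parameter payload is escaped by both, because the `&` sends it down the branch that already called `esc_html`. That is why a quick test with `?a=1&b=<script>` against 3.20.3 would wrongly suggest the sink was safe.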
